+\begin{slide}
+ \head{PRFs are MACs, \seq: MACs aren't PRFs}
+
+ The converse of our result is not true. Suppose $\mathcal{M} = (T, V)$ is
+ a deterministic MAC. Choose some integer $n$. Then define $\mathcal{M}' =
+ (T', V')$, as follows:
+ \[ T'_K(x) = 0^n \cat T_K(x); \qquad
+ V'_K(x, \tau) = \begin{cases}
+ 1 & if $T'_K(x) = \tau$ \\
+ 0 & otherwise
+ \end{cases}.
+ \]
+ $T'$ is obviously not a PRF: an adversary checking for the string of $n$
+ zero bits on the output will succeed with advantage $1 - 2^{-qn}$.
+
+ However, $\mathcal{M}'$ is a secure MAC. Suppose $A'$ attacks
+ $\mathcal{M}'$.
+ \begin{program}
+ Adversary $A^{T(\cdot), V(\cdot)}$: \+ \\
+ $(m, \tau') \gets A'^{\id{tag}(\cdot), \id{verify}(\cdot)}$; \\
+ \PARSE $\tau'$ \AS $n\colon z, \tau$; \\
+ \RETURN $(m, \tau)$;
+ \next
+ Oracle $\id{tag}(m)$: \+ \\
+ \RETURN $0^n \cat T(m)$; \- \\[\smallskipamount]
+ Oracle $\id{verify}(m, \tau')$: \+ \\
+ \PARSE $\tau'$ \AS $n\colon z, \tau$; \\
+ \IF $z \ne 0^n$ \THEN \RETURN $0$; \\
+ \ELSE \RETURN $V(m, \tau)$;
+ \end{program}
+\end{slide}
+